agenttesla | 9eea541ed0c69e64ac52d8ac29333c4878a91328179cf03c3979530009993dd2

General

Target

po.exe
Size

450KB
MD5

210f27a2075e3f821cfb160cbfb851d4
SHA1

199bd194efdb4850c6f9b82f0ae250c8f0e6cc9e
SHA256

7850417d2c934eda23e7c968df7b7ef4d76c85328092b10826c3a8652388dba7
SHA512

dc62ab5e3bf8374af409c5caa95dc094cb3b0d487d91423ebebfbe3cca7293ff3166ad67c6805afe686367f2bb8dd05c28ae67349b032ce6aee7610e04aed06c

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dianaglobalmandiri.com
Port:
587
Username:
[email protected]
Password:
Batam2019

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2248-138-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

po.exe

description pid process target process

PID 1336 set thread context of 2248 1336 po.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3252 2248 WerFault.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

po.exeRegSvcs.exe

pid process

1336 po.exe
1336 po.exe
1336 po.exe
1336 po.exe
2248 RegSvcs.exe
2248 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

po.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1336 po.exe
Token: SeDebugPrivilege 2248 RegSvcs.exe

description	pid	process	target process
PID 1336 set thread context of 2248	1336	po.exe	RegSvcs.exe

pid	pid_target	process	target process
3252	2248	WerFault.exe	RegSvcs.exe

pid	process
1336	po.exe
1336	po.exe
1336	po.exe
1336	po.exe
2248	RegSvcs.exe
2248	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1336	po.exe
Token: SeDebugPrivilege	2248	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

po.exe

description	pid	process	target process
PID 1336 wrote to memory of 4956	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 4956	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 4956	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 4228	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 4228	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 4228	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe
PID 1336 wrote to memory of 2248	1336	po.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\po.exe
"C:\Users\Admin\AppData\Local\Temp\po.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:4228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1516
3⤵
- Program crash
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2248 -ip 2248
1⤵
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-130-0x00000000001B0000-0x0000000000226000-memory.dmp

Filesize
472KB

Download
memory/1336-131-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/1336-132-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/1336-133-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/1336-134-0x0000000008310000-0x00000000083AC000-memory.dmp

Filesize
624KB

Download
memory/2248-137-0x0000000000000000-mapping.dmp

Download
memory/2248-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2248-139-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/2248-140-0x0000000006300000-0x0000000006350000-memory.dmp

Filesize
320KB

Download
memory/4228-136-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads